[strongSwan] Can I make an IPv6-over-IPv4 tunnel which does not block IPv4 traffic?

Andrew Cady strongswan.org at childrenofmay.org
Wed Sep 5 06:38:48 CEST 2012

I've found that creating an IPv6 over IPv4 tunnel between hosts
blocks traffic on the IPv4 network between those hosts (creating a
"required" security policy matching the IPv4 host -- as I understand
it).  Meanwhile, apparently IPv6 traffic on that address is not
IPSec-mandatory: if there is a keying issue, so that no SA can be
created, but the hosts are on the same LAN so that the IPv6 addresses
are routable, IPv6 traffic is transferred unencrypted.

I'd like to permit unencrypted IPv4 as usual, but require the traffic on
the tunnelled IPv6 address to be encrypted.  Is it possible to create
this configuration with strongSwan?  It seems to me the kernel allows one to
create a required security policy for the IPv6 address, with an SA for
the tunnel.  Or is this a kernel level limitation with IPSec policies
in tunnel mode?  I have to admit I am a bit hazy on the underlying
mechanisms here, so any explanation would be appreciated.

(Also: although I'm testing my configuration on a LAN, where direct
IPv4 and IPv6 routes are available, I intend to deploy these systems on the
wide internet, where only IPv4 will be available -- so a non-tunnel
IPv6 solution is not an option.  However, I still want unsecured IPv6
blocked, of course.)
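The behaviour described in the question (IPv4 between the tunnel endpoints silently becoming IPsec-mandatory) is visible in the kernel's SPD, which `ip xfrm policy` prints. The following script is an added diagnostic example, not part of the original post or of strongSwan; it parses that output and answers, for a given address pair, whether an outbound policy with an ESP/AH template covers it, which is exactly the condition under which plaintext traffic is refused. The two policy dumps embedded below are constructed samples (addresses from the documentation ranges), not captures from the poster's hosts: the first models the situation the post describes, where the policy selectors cover both the IPv6 tunnel addresses and the IPv4 host addresses; the second models the desired state, where only the IPv6 selectors exist.

```python
import ipaddress
import re

# Constructed `ip xfrm policy` output: IPv6-over-IPv4 tunnel between
# 192.0.2.1 and 192.0.2.2 whose selectors ALSO cover the IPv4 hosts.
# This is the state the question describes (IPv4 plaintext blocked).
SPD_IPV4_COVERED = """\
src 2001:db8::1/128 dst 2001:db8::2/128
	dir out priority 2883 ptype main
	tmpl src 192.0.2.1 dst 192.0.2.2
		proto esp reqid 1 mode tunnel
src 2001:db8::2/128 dst 2001:db8::1/128
	dir in priority 2883 ptype main
	tmpl src 192.0.2.2 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
src 192.0.2.1/32 dst 192.0.2.2/32
	dir out priority 2883 ptype main
	tmpl src 192.0.2.1 dst 192.0.2.2
		proto esp reqid 1 mode tunnel
src 192.0.2.2/32 dst 192.0.2.1/32
	dir in priority 2883 ptype main
	tmpl src 192.0.2.2 dst 192.0.2.1
		proto esp reqid 1 mode tunnel
"""

# Constructed desired state: only the IPv6 tunnel addresses are selected,
# so IPv4 between the hosts is left alone while IPv6 must use the tunnel.
SPD_IPV6_ONLY = "\n".join(SPD_IPV4_COVERED.splitlines()[:8]) + "\n"

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\S+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
MODE_RE = re.compile(r"^\s+proto (\S+) .*mode (\S+)")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into a list of policy dicts.

    Each dict holds the selector (src/dst networks), direction, the
    template's outer tunnel endpoints (if any), protocol and mode.
    """
    policies = []
    cur = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None, "tmpl": None, "proto": None, "mode": None,
            }
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"] = (ipaddress.ip_address(m.group(1)),
                           ipaddress.ip_address(m.group(2)))
            continue
        m = MODE_RE.match(line)
        if m:
            cur["proto"], cur["mode"] = m.group(1), m.group(2)
    return policies


def policies_covering(policies, src, dst):
    """Return the policies whose selector matches the src -> dst pair."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return [p for p in policies
            if p["src"].version == src.version
            and src in p["src"] and dst in p["dst"]]


def plaintext_blocked(policies, src, dst):
    """True if an outbound policy with an ESP/AH template covers src -> dst.

    In that case the kernel requires IPsec for the flow: packets are not
    sent in the clear, and while no SA exists they do not get through.
    """
    return any(p["dir"] == "out" and p["tmpl"] is not None
               and p["proto"] in ("esp", "ah")
               for p in policies_covering(policies, src, dst))


def ipsec_requirements(policies, pairs):
    """Map each (src, dst) pair to whether IPsec is mandatory for it."""
    return {f"{s}->{d}": plaintext_blocked(policies, s, d) for s, d in pairs}


if __name__ == "__main__":
    pairs = [("192.0.2.1", "192.0.2.2"), ("2001:db8::1", "2001:db8::2")]
    for label, dump in (("IPv4 covered", SPD_IPV4_COVERED),
                        ("IPv6 only", SPD_IPV6_ONLY)):
        print(label, ipsec_requirements(parse_xfrm_policies(dump), pairs))
```

On a real host, replace the embedded sample with the output of `ip xfrm policy` and check the IPv4 pair; a `True` there means the SPD selectors include the host addresses themselves, not just the tunnelled IPv6 prefix. In strongSwan those selectors come from the connection's traffic selectors (`leftsubnet`/`rightsubnet` in ipsec.conf), so that is the place to look when the IPv4 pair shows up as covered.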